GHSA-p5wf-cmr4-xrwr: Permissive Regular Expression in tacquito
(updated )
The CVE is for a software vulnerability. Network admins who have deployed tacquito (or versions of tacquito) in their production environments and use tacquito to perform command authorization for network devices should be impacted.
Tacquito code prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was performing regex matches on authorized commands and arguments in a more permissive than intended manner. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. This behaviour could potentially allowed unauthorized commands to be executed.
References
- github.com/advisories/GHSA-p5wf-cmr4-xrwr
- github.com/facebookincubator/tacquito
- github.com/facebookincubator/tacquito/commit/07b49d1358e6ec0b5aa482fcd284f509191119e2
- github.com/facebookincubator/tacquito/security/advisories/GHSA-p5wf-cmr4-xrwr
- nvd.nist.gov/vuln/detail/CVE-2024-49400
- www.facebook.com/security/advisories/cve-2024-49400
Detect and mitigate GHSA-p5wf-cmr4-xrwr with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →